From patchwork Mon Jul 30 01:33:29 2018
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 9839
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Mon, 30 Jul 2018 03:33:29 +0200
Message-Id: <20180730013330.25612-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.18.0
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

Fixes: Timeout
Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
libavcodec/qtrle.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c index 670690d0a4..6155b4f3e3 100644 --- a/libavcodec/qtrle.c +++ b/libavcodec/qtrle.c @@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr, CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (num_pixels * (bytestream2_get_byte(&s->g) - 1)); @@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change) CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (4 * (bytestream2_get_byte(&s->g) - 1)); 
@@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 2; @@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 3; @@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change CHECK_PIXEL_PTR(0); while ((rle_code = (int8_t)bytestream2_get_byte(&s->g)) != -1) { + if (bytestream2_get_bytes_left(&s->g) < 1) + return; if (rle_code == 0) { /* there's another skip code in the stream */ pixel_ptr += (bytestream2_get_byte(&s->g) - 1) * 4;
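Review bot: in the first hunk (qtrle_decode_2n4bpp, @@ -155) the new `bytestream2_get_bytes_left(&s->g) < 1` test sits after `rle_code` has already been consumed, so what it guards is the byte read by the `rle_code == 0` skip branch on the following line, not the read of `rle_code` itself. That is the right place for the reported timeout: bytestream2_get_byte() returns 0 once the buffer is exhausted, so `rle_code` never reaches the -1 sentinel, the skip branch executes every iteration with `bytestream2_get_byte(&s->g) - 1` equal to -1, and the loop spins on an empty stream. The commit message should say that the loop now ends on stream exhaustion rather than only on the -1 terminator, and that the bare `return` leaves any rows not yet decoded untouched; a one-line av_log at debug level would make truncated input visible to whoever is diagnosing a corrupt frame.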
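Review bot: the hunk in qtrle_decode_32bpp (@@ -350) is the fifth verbatim copy of the same two-line check (the 8bpp, 16bpp and 24bpp hunks carry the other three). Every hunk's context already shows the analogous pixel-pointer test centralised as `CHECK_PIXEL_PTR(0)`, so a companion macro, for example `CHECK_STREAM_PTR(1)` expanding to `if (bytestream2_get_bytes_left(&s->g) < 1) return;`, would keep the five decoders in step if the threshold ever changes. Note also that `< 1` only guarantees the single byte the skip branch reads; the run-length branches below the shown context still depend on bytestream2's own bounds handling for anything longer, which is fine for the timeout fix but should be stated so nobody reads this as a full per-iteration length check.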